rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
    meta:
        author = "John Davison"
        description = "Attempts to identify the exploit CVE 2017 11882"
        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
        score = 60
        //file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
        id = "b6c59cf1-52e4-5c9e-b3c3-d973d52736e3"
    strings:
        $headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
        $font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
        //$code = /[\x01-\x7F]{44}/
        $winexec = { 12 0c 43 00 }
    condition:
        all of them and @font > @headers and @winexec == @font + 5 + 44
}

// same as above but for RTF documents
rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
    meta:
        author = "John Davison"
        description = "Attempts to identify the exploit CVE 2017 11882"
        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
        score = 60
        //file_ext = "rtf"
        id = "b6c59cf1-52e4-5c9e-b3c3-d973d52736e3"
    strings:
        $headers = { 31 63 30 30 30 30 30 30  30 32 30 30 ?? ?? ?? ??
                     61 39 30 30 30 30 30 30  ?? ?? ?? ?? ?? ?? ?? ??
                     ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??
                     ?? ?? ?? ?? ?? ?? ?? ??  30 33 30 31 30 31 30 33
                     ?? ?? }
        $font = { 30 61 30 31 30 38 35 61  35 61 }
        $winexec = { 31 32 30 63 34 33 30 30 }
    condition:
        all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
}

rule packager_cve2017_11882 {
   meta:
      author = "Rich Warren"
      description = "Attempts to exploit CVE-2017-11882 using Packager"
      reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py"
      score = 60
      id = "57ff395e-e56a-5e63-bde6-f3cef038fcd6"
   strings:
      $font = { 30 61 30 31 30 38 35 61  35 61 }
      $equation = { 45 71 75 61 74 69 6F 6E 2E 33 }
      $package = { 50 61 63 6b 61 67 65 }
      $header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase
   condition:
      uint32be(0) == 0x7B5C7274 // RTF header
      and all of them
}

rule CVE_2017_11882_RTF {
   meta:
      description = "Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-02-13"
      score = 60
      id = "400689ff-e856-5cbf-a7fa-93f6a8d8dbb9"
   strings:
      $x1 = "4d534854412e4558452068747470" /* MSHTA.EXE http */
      $x2 = "6d736874612e6578652068747470" /* mshta.exe http */
      $x3 = "6d736874612068747470" /* mshta http */
      $x4 = "4d534854412068747470" /* MSHTA http */

      $s1 = "4d6963726f736f6674204571756174696f6e20332e30" ascii /* Microsoft Equation 3.0 */
      $s2 = "4500710075006100740069006f006e0020004e00610074006900760065" ascii /* Equation Native */
      $s3 = "2e687461000000000000000000000000000000000000000000000" /* .hta .... */
   condition:
      ( uint32be(0) == 0x7B5C7274 or uint32be(0) == 0x7B5C2A5C ) /* RTF */
      and filesize < 300KB and
      ( 1 of ($x*) or 2 of them )
}

rule EXP_potential_CVE_2017_11882 {
    meta:
      author = "ReversingLabs"
      reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
      id = "199710e0-5094-5940-ad29-f01383d5d8c2"
      modified = "2025-06-03"
    strings:
        $docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
        $equation1 = "Equation Native" wide ascii
        $equation2 = "Microsoft Equation 3.0" wide ascii
        $mshta = "mshta"
        $http  = "http://"
        $https = "https://"
        $cmd   = "cmd" fullword
        $pwsh  = "powershell"
        $exe   = ".exe"
        $address = { 12 0C 43 00 }

        $fp1 = "Tested with chamber evacuated to 1E-8 Torr on turbo pump" wide
        $fp2 = "d(3z2-r2) to d(x2-y2) is not experimentally identified yet in cuprates" wide
        $fp3 = "Preliminary results of MD simulation of Oxygen cluster infusion into Nb" wide
        $fp4 = "The Mixing is linked to the coefficients p and q" ascii
    condition:
        uint16(0) == 0xcfd0 and $docfilemagic at 0 and
        any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
        and not 1 of ($fp*)
}
